| C A R T E L / 9 7
   | - - - - - - - - -
   | University of Michigan, Ann Arbor
   | June 24-25th, 1997

Meeting notes from June 24th -- morning

(from Scott Brylow, Stanford - edited by Gavin Eadie, UMich)


Peter Honeyman

UMich - Director, CITI

Marshall Vale


Neil Jackson

CMU - Manager




Dug Song


Mike Oldson

Peter Honeyman


Charles Antonelli


Jonathan Weise


Janey Kuan


Frank Kletzke






Paul Hill










Joe Gelinas






Gregg L


Walter Wong


Mark T.


Andy Adamson

CITI - DHCP project, rewrite of Oracle db for inventory, smartcard integration and single signon.

Steve Rothwell

ITD. K4 for NT, cache and memory issues

Nathan Biggert

CITI K-web project

Jim Simpson

ITD, web auth project

Jean, Lucker

Stanford PCLeland

Dave Dutleffs

UMich - windows infrastructure

Michael Hay


Gordon Leacock

mgr for infrastructure services UMich

Kurt Hillig

UMich network admin group

John Schaefer

UMich campus comuting sites network. Moving to wireless LAN project lead.

John Vollbrecht

MERIT remote access stuff

Paul Howell

UMich CAEN (Engin) computer aided engineering network

CMU - Erikas. CMU split networking into engineering and software.

Completed fast Enet at core, Enet to everywhere on campus. 1 year, $1M after discounts. Offered to users a la carte solo 10BT, shared 10BT shared 100BT. No FDDI for core, just Fast Enet. Collapsed backbone in one room, so copper was cheaper than fiber.

Pushing on remote access. 56k X2 technology. Want to do ADSL, HDSL. Punted on ISDN but maybe down the road. Member of Inet2, but much work done at Pitt SCC, not CMU. Deploying campus auth scheme called ???.

Released new net mgmt system called Nadine. Hierarchical. Buggy.

CMU - Walter. Core is afs. FS upgrade. Ultra 1 2 scsi ctrlr, 2 big disks per ctrlr. Cautious, but safe. No analysis of traffic load or flow. Developing cyrus email things. IMAP and POP services that allows Kerberos. Major challenge is clients that interact well. NS Communicator doesn't interact well. Builds list of folders (IMAP) you export). But this includes other than IMAP stuff at CMU, so it takes up to 40 minutes. AMAP - distributed preference info working on this.

Authenticated web access - erin and parvis lead developers. Intergrate K and web infrasturcture. Want to get copy of Jeff's k-key signer. NT, trying to embrace. Better than others, not saying much. Working with K for NT. telnet client in rough shape, ftp rough shape. Klpr. Looking to integrate Nt into K. K5 is on the horizon. How do you move to K5 and maintain infrastructure. Transacr is pushing DCE/DFS world. Best arg is if they don't, admin will, and will do it wrong. Backup - How to integrate afs/dfs/k-dump into comm'l backup solution. Small DCE cell for testing. Not really advertised. Down when machine went away.

Mike Holtz - Cornell. 4-5 people touching on K as most of their job. Mike maintains Kclient for windows. 1 for future security architecture. 2-3 people sharing Kserver work. Project 2000 -- overhaul admin systems. Chose Informix. Said they will put K5 with GSS API. So, K5 needed sooner than expected. Moving slave prod servers to K5 within <6 months. Inet2 --doing cells and frames stuff for this. Have software Project Mandarin for sw distribution. K-auth to download licensed sw. overhauling dist sw and architecture (6-8 months). Looking at moving K client sw to K5. Person on mac side of distribution sw is busy so it's primarily Windows work first on Kclient.

MIT - networking. Moving to baset, switching to desktop stuff.

Installation of 5000 network drops this summer. Still wire, nothing wireless campus wide. Campuswide DHCP service in few months. Moving K5 to production. Thinking about public clusters of non-Unix machines. Work on mac and PC in sw distribution. Trying to use Installermaker, Installervise, WISE, adding ftp tools in there. Students working on GSS tools for users from outside ISP's. K4 work with people here tying to get memory cahce for NT, 95. Hummingbird ktelnet for 3270. K5 maintenance and bug stomping.

Jonathan - sysadmin side. Finishing upgrade of AFS from Dec to Sun. where next? Raid maybe.

Stanford - look at the web documents. Booker said we went to LDAP v.3 cuz of weaknesses in searching, and lack of flexibility in the protocol.

Gavin, reading the UM topics. Kitty Bridges wrote it. Works in Technology Assessment - was looking at discrete topics, now looking at more strategic stuff. Summarizing:

Writing AFS Kv4 with local mods. ID service called UniquName. Single Unix ID across campus, so its single login. DB replicated on 3 machines, UM wrote softare. Dist orientation for student, faculty, staff. Technology is easy, fighting through univ infrastructure, history, etc. is the hard part.

Decentralization and permissions issues loom large, athletics, libraries, housing, etc. are all unique cases.

Assign unique names first come first serve. Never taken away. Continuing education, etc. moved from afs Kv4 to Kv5, moving away from DCE as overall direction for now. Replacement service with working name of umbrella.

Developing Kbased auth service for web. KLP (K local plugin). want to get back to public key work again. Some msartcard research with bellcore. How to define who is and isn't univ member. SSN used as key in existing systems. Not reliable!! Accounting and billing - realtime system for distributed system. Allocating funds to 36k users. Metered service tracking with sanctions for running out. See the web pages. Writing an X500 server, thinking of moving to slapd. Locally developed LDAP clients.

Email readdressing done though X500. Metered printing services. SAMBA based solution for Mac, not yet for Wintel. FSAFS based. IFS (institutional) 17 servers, 28G max. eng college runs own cell -- 1TB on line! Only 800GB for rest of campus. Use namtive client from Transacrc for NT? Renegotiating Oracle site license after 8 yrs. Moving to IMAP4 this summer. NS hired entire X500 team from UM.

Vendor relationships:

Network Computers

UM told to look cuz they might be exciting. We don't have a lot of control over the hardware that is purchased. They are ok for browsing, but we do a lot more than browsing on campus. Some ACM or IEEE article said that of the 12 mgmt tasks on PC's, 10 exist for NC's as well.

Stanford - marginal interest.


UM - currently run MS Open License program (MOLP) sells licenses, right to copy for cheap prices. Through reseller (software spectrum, not very good). Cumbersome, paper-intensive. Not enough disks, software, etc. MS told them to copy it from their neighbors.

Looking at Select program. Process of doing a Select agreement with Select Express.

Site licenses end up around $25 for word, nothing but a number, no media, no docs, etc.

MIT - MS has audit clauses where they want to have the right to audit any machine on campus, including student machines. UM ignoring it. UM taking select program without some of these onerous terms. UM said if you want to audit, you bear all the costs. UM general counsel does not try to change T&C of any MS contract. MIT wants schools to band together to push on MS.

Stanford -- don't know what if any program we're in.

CMU - select program. Person handling agreement is the computer store guy.

Alerted him to contract clauses. Hard to say if we got a good deal.

Cornell has not had site licenses in the past, but is considering that now.

MIT - asked if anyone was talking to MS about source code access.

They have 33 signatories to their source code agreement but know only 3 of them that are working on it and they are cooperating with them. No reason to give current sources to the other 30 firms.

Sun - working to get Java stations deployed around campus (Walter, CMU).

Can they leverage for free servers? If so, it may be worth it. Otherwise, not enough interest in JavaStations. Best for people who can't admin machines, but CMU is good at admin tasks. Rather have an AFS station

UM said Javastations upstairs. Hard to configure. NIS and AFS setup hard.

Apple - UM rhapsody is a mess.

Cornell - previous directory of computing was MacHead, new Dir of Comp not as supportive. Project 2000 is People Soft based, no mac client.

MIT - agnostic about them. Not shrinking (was during SAP rollout). Treating win and mac same for SAP purposes. Purchased large-volume MacOS license to allow upgrades. MacOS 8 not breaking a lot of software, at least not for Kclient. MIT joined New Media Center to get multimedia hardware from Apple.

Added 2 more Mac developers. Working with Apple (old guard realizes state of things)

UM - Working less with universities due to hard times? Reaching out more at WWDC recently.

Talked to apple file system folks about an afs client release.

Stanford - some die hard mac folks at Stanford. No longer agnostic. Parts of SU by policy have eliminated Macs (libraries). Our CIO feels that Wintel is the correct choice. Still on our site license, supporting as best we can. MacLeland, Mac to SUNet, etc.

Transarc - UM has lousy relationship with them, killing off all they care about, pushing thing they don't care about. UM really pushed DFS, but services not better then already provided and much harder to administer. told transarc they needed to be flexible with DFS. Transarc said no, it's a product, we're not changing it. Won't give away client code. Chafing under restrictions. Very reliant on AFS. Loss of AFS would kill UM and Transarc.

CMU - site license with transarc expired this year. Got a 2yr extension.

They want CMU to adapt DCE/DFS. Talking with Laura Stents - close enough to top to do some good. Also taking with effinger (replaced alfred specter0 to see where they are going. Does it make sense to work with them to develop DCE/DFS? Will they let us help? Only reason to go to DCE/DFS is Oracle, just signed on with Oracle and concerned about auth and security issues with Oracle. UM points out that you aren't tied to Oracle to do auth and security. NetBill guys at CMU messed with DCE and regretted it.

Stanford has AFS in production mode almost 1 TB. Starting to roll out DCE, apparently production on 1 July. Not forcing users to it, but making it available. Heavy commitment to Oracle financials, which means we need some sort of K5 or DCE tie in to Oracle. Selected DCE, so it can do some K5 within DCE. Nervous about DFS. Servers not reliable enough. Hardware and sw up to date, sometimes DFS servers just die. Our other problems with transarc - NT client license terms. TA wants per client charge. $100??

CMU said argue that origianl agreement with TA might cover new NT client.

MIT bothered by lack of source. MS has IFS SDK for NT4 very recently.

What will lag be for SDK for NT5? Several months. Must buy for $1k on PO to install on 5 machines. Must have someone with signature authroity for NDA for your university. Then talk to Todd Nido who will write a letter saying install on as many machines as you want and refund your PO maybe.


CMU - admin group is saying they want to go there. Signed agreements with Oracle to go there. Planning on converting apps from Ingres to oracle.

UM has had Oracle site license for 8 years. Deb Masten oversees Oracle stuff at UM. Trying to come to terms for last 6 months. Heavily into Oracle in admin, hospital, academic depts. Had a very attractive price for last 8 years. Paying about 120k for maintenance this year. Want to charge $3.2M for capital and $3.0M for maintenance for next 5 years. Love to talk to anyone about negotiating with them. Stumbling block - want to have anyone come in over the web and view data on UM Oracle DB's and change it if they want -- sign up for mailing list, change addresses. Oracle says no. UM hammering them on this. Oracle says no one else wants to do this. Price goes up from 1) no one can look at it to 2) anyone can look at it price goes up.

Stanford working with Oracle Financials, it's an inner circle of hell, not really related to Oracle per se. We've been developing apps under Sybase for 7 years and been happy with it.


Cornell - regretted decision to pick them. On Project 2000, reason to veer >from Oracle was history of support problem. Informix - promised a GSS API based on K5, status up in the air, haven't done it yet.


UM (M-Pathways) - Peter. UM is hanging everything on PeopleSoft. P thinks they sold UM a bill of goods, did a bait and switch. Expected an enterprise scale DCE environment. Find that DCE is not-well-supported check-off item. Converting all admin stuff to work in a PeopleSoft environment for unified access across wide range of apps and uses. Sigh.

Originally offerred a beta test for student solution. Later bought into financial and personnel apps. Runs on top of Oracle (Informix)

Cornell is PeopleSoft for everything as well, rolling out over the next several years.

Reviewing architecture, 3 tier, PS servers on bottom tier, intermediate servers running Citrix servers and client machines (speaking modified Xwindow protocol, not secured). Next version will support over-the-wire encryption. Will charge extra for encryption. They are looking at how many immediate servers to support anticipated backend load. E.g. for student propulation, load model is bad since most to all students will be connected during a 1-2 week period at the beginning of each term.

They have changed architectural direction many times during development.

Security model is currently up in the air, not sure they can tie it down wisely or in time. Using std tools like SAR, packet throughput, round trip delay, packets on the link, delays on the link. Want an easy to port performance product for testing PS on many platforms

IBM - no discussion

Netscape - still hiring away from Univs. Thought of Cartel as not paying customers so not interested in developing K support.

CMU - what happened to SNAPI? Bought into dev edge gold membership in order to submit bugs and get a report back. Developing plugins found numberous bugs in their API. Found a code path that would crash application. Not helpful customer support. Issues with security stuff -- bugs that they don't help (way to slip name through without checking.

Threatening to talk to CERT didn't scare them. Email transcript where danish firm tried to extort money from them about a bug. Gavin will come up with URL.

Is anyone using servers? CMU using NSAPI for K stuff.


UM tough position, working on a software grant. Talk about it, but when it comes to real work they don't deliver. Always in transition. At least a year before they make any progress. Over 250 servers in NDS production directory. It's stable. Has solved multi-master read write replication problem. NDS is not integrated with anything else (not with X500 or anything).

CMU - had a similar sw grant like UM. Recently they shut down the grant. Held up for $30k/year for 3 years. Existing users can live with what they have now. With their # users, by person costs would have been $60k, so it was 50% off. 12k users. Lowest number per is $5/user?

MIT - not doing much, running a central DSS with small NDS tree. Some depts asked to join and were kept out by saying NDS stuff was unstable and unsupported. Some discussions of source code availability of NDS servers. Not back compatible over 2 versions back. Don't know what they are doing about NT5.0

UM had agreement for meetings and work on K for Novell -- never happened.

Cornell - no idea.


CMU - sgi came around. Disappointed no campus support for them. Went with supporting IRIX6.2, small graphics lab. Faded off into the background.

Not as aggressive as last year.

Stanford. Got pitch, weren't interested cuz of ongoing security issues, absolute lack of access to source.

MIT supports Sgi, thinks they are neat. Caught between SAGI and transarc.

Indy and O2 have different OS's, different kernel architectures can't easily overlay AFS stuff. Indy's are on 5.3 (want to upgrade to 6.x later, probably 6.2) O2 need 6.3, Octanes need 6.4, other stuff need 6.5, not available until end of the year. Not only CPU, but 32- or 64- bit.

CMU - have indys and o2's running various versions of IRIX running various versions of OS, and K stuff, talk to them if you have specific questions.


UM - had a BigTen consortium looking at DCE as method for sharing auth between bigten schools. Web access, etc. Involved with their WebCrusder product. Not doing that well. Competition coming now, probably eat them up.

CMU - G told them they are doing exactly what they want, but more features, easier to use, etc. weren't able to tie them down. UM said there is a real prodjcut, proxy approach to auth (another process on your browser connects to your


MIT - no hardware

CMU supporting 9.07, some push to go to 10.20 (by group getting free HW) but thinks Wintel hardware is cheaper. Only doing it for workstation. Not used for infrastructure.

Stanford - had HP hardware forced on us. CS dept gave some nice grants, so we have some HP's. Not interested in supporting this platform. Popping up for Craig as they get pushed down by Neil. Lots result of foray into Oracle Financials since HP got pushed as platform for Oracle. Also, looked at Presidium auth server. Looking at it for a year or so, works with K5via GSS or DCE. Only runs reliably on HP-UX. Been very responsive developing presidium software. Were alpha, so HP did what we asked. Running in CDE and on top of K. Solaris and HP, Kv5 libs work. Adding proncipals to Presidium.

UM - didn't get HP to invest in Presidium R&D work.


MIT - buys alphas sometime, no real relationship. Gave MIT a hard time about hooking storage up to other (non-alpha) CPU's

Stanford moving away from CPU's, but doing a bunch of RAID storage stuff.

Some parts of campus still run DEC by dept.


Put out an RFP for computationally computing in a higher end environment. $70M allocated, Max per univ of $6M over three years. Deadline was end of May. MIT RFP was not well coordinated, asked for $8M over all depts. Late last week, heard that Intel might be interested in funding ~75%. CMU asked for $6M and heard interest from Intel. UTAustin asked for $5.4M,

UM (School of Informaton) asked for $5M. Really pushing windows/NT as far as Intel is concerned.


Platinum - PC Enterprises, PCI services. One server running. Possible to use K5 dll from them rather than building it or using MIT's. Client software for Mac, 95 but not NT. Said they were not interested in NT client development.. Stanford wanted to avoid client side K development.

Support direct from the company.

CMU Walter talked to them, they said you can't use Kclient distribution that exists, you need to use the PCI Kerberos stuff. That's cuz they added some API stuff without cooperating with the MIT folks.

UM had a license and let it drop this year cuz of lack of NT client and problems with 95 version. Never actually deployed. Carried the license for 3 years while they evaluated it.

Few site licenses, mostly volume purchases.

Using keyserver for distribution.

Hard to band together, difficult enough to accommodate diversity of UofM.



Gav suggests start at the fattest pipes and move toward the thinner pipes.


CMU is attached to this recently. Cornell only other school here with wide VBNS access

UM getting 2 x OC-2 lines from Chicago to hook up to VBNS stuff.


CMU letting Pitt SC center do all the work. Pitt supercomputing center making a gigapop to serve CMU, PennState, etc.


UM played with it, a fair amount in the Eng College. Peter likes potential for QoS interface. With FDDI and fastEnet, you have to roll your own.

FDDI backbone around since 1989. Person running their bandwidth is thinking about FDDI switch. 1996 Utilization of FDDI ring was 30-40%.

Staying away from ATM cuz of IP over ATM questions.

CMU - Network 2000 using Fast Enet rather than ATM. Peter surprised cuz frame size is so small. Leaning toward GigEthernet, working with Cisco to do a rollout.


FDDI and other DDI's

Stanford did FDDI instead of switches cuz switches didn't support multicast.

UM wants big switches on the backbone

CMU says CGMP on top of level two switching from Cisco they have started playing with it.

Campus Backbone


Spent a few M$ on a test program NCR/AT&T/Lucent 2Mbps wireless ethernet. Not a resounding success. Lucent hadn't considered a 3D building, they thought of it as a stack of 2D bldgs. Still an experimental project. 6 bldgs, 30-40 wireless clients and 120 base stations. 25 users in a bldg mean that you get 28.8 performance, drops off worse after that cuz of collision resolution. Lack of troubleshooting tools. Hard for entire classrooms of students, good for smaller meetings.

Ethernet, other 10Mbps

Cable Modems

CMU - local Cables companies have trouble with plant, not yet interested

Work with Bell Atlantic to do ADSL 1Mb to home 100kb from home. Also working with Peregrine for HDSL 768kb bi-directional

Continental doing this in the suburbs for >1 yr, city of Boston doing something this year.

MIT Media1 Cost is 50-60 / month, up to 4 machines.

Doing chooser and my neighborhood and seeing your neighbors computers.

Remote access



CMU - auth of remote users, trying to push on remote stuff this year.

MIT frame relay from NYNEX in WAN for frats, etc., moving to point-point T1.

UM librarians believe in utter openness. Let anyone log on. Reading news, sending mail from

NS installed since October. Proposing that anyone can use the resources, they just have to identify themselves (ID card at the desk)

Stanford - has govt documents section, reqd by law to provide public access. NS kiosks available


CMU - tested in '88 found it OK but very expensive.

UM adding ISDN, have some in AA now. Will be some in major MI cities.

Growth rate for ISN is relatively slow in AA. Deploying with boxes that support digital modems so lines into box will be ISDN lines, support digital modems as well.

56k X2

CMU deploying it, found the bug but deploying it anyway.


MIT - renewing 28.8 pool with Cisco 25xx ready for ISDN stuff

Stanford 14.4 modem pool. Netcom made a good deal with campus for 28.8, so we got out of modem fixing business. All their pops in different area codes. Metricomm wireless service 9600 to 112k (with no 900MHz interference). ISDN is also offered by 3rd parties.

UM remote access linked with State of Michigan remote access. 92-93% of state have dial access. Authenticate at home, 30k subscribers modems around state owned by different institutions, but shared via complicated set of rules. About 700 modems in AA, 100 modems elsewhere in shared hunt groups. 800 number for national dialup. Access through ADP and autonet. Interconnecting with IBM Global Network (Advantis?). Roaming services - allow ISP's like Netcom so you can dial into ISP's and get charged at your home. UM interested in supporting this. All tied together with Radius proxy servers, auth based on userID. UM now gets revenue for modem use - $4.40 per month, 11/22/44 cents/minute for peak, offpeak, dead times.

CMU has no way to bill but they limit usage to 15 hrs peak per week, surveyed weekly, enforced after 4 weeks overage in a term. Warnings each week. Diagnostic calling to track problems and localize problems they wrote it. Giving up on recommending hardware since it's a low priority and no one listens anyway.

Inverse Networks does stats gathering from users quietly (logging modem connection failures and then delivering to some service on successful connections.


Any concept of auth for services based on lookup to see that they are still a valid commnity member?

CMU hacked some code for this -- if you get a login prompt, you need a userid and passwd. If you are in another cell of CMU, you can use username@realm.

AUTH stuff -- see CMU pages which assumes a principal, runs on Cisco switches but could be ported, runs on IP, IPX, AppleTalk right now. Talk to Erikas. UM endorses this.